Enter to open, tab to navigate, enter to select
Drafting an Online Privacy Policy
Practical Law Legal Update 1-544-3025 (Approx. 4 pages)
Drafting an Online Privacy Policy
by Practical Law Intellectual Property & Technology
| Published on 08 Oct 2013 • USA (National/Federal) |
An overview of key issues to consider and address when drafting a privacy policy for a website, mobile application or other online service.
Operators of websites, mobile applications and other online services (operators) that collect user information should post a privacy policy to disclose the operator's information collection and privacy practices. In some cases, a privacy policy is required by law. In others, posting an accurate and well-drafted policy can reassure users that the operator will not use their personal information irresponsibly and help minimize the risk of liability by accurately setting users' expectations.
Among other requirements, a privacy policy must accurately reflect the operator's practices to comply with federal and state statutes prohibiting unfair or deceptive business practices, including Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45).
In addition, the operator should ensure its privacy disclosures meet specific requirements under any laws that may apply to it based on, for example, its target audience or industry. These may include:
- The federal Children's Online Privacy Protection Act (COPPA), regulating the online privacy of children under 13.
- The California Online Privacy Protection Act, which generally requires operators that collect personal information of California residents to have online privacy policies that meet specific requirements.
- Sector-specific federal laws, including:
- the Gramm-Leach-Bliley Act (GLBA), regulating personal information held by financial institutions; and
- the Health Insurance Portability and Accountability Act (HIPAA), regulating health and medical information held by healthcare providers and other healthcare entities.
An effective privacy policy should clearly define its scope and include disclosures consistent with the FTC's fair information practice principles.
Policy Scope
The policy should set out:
- Its effective date or when it was last updated and how the operator notifies users of changes to the policy.
- Whether it applies only to information collected on or through the site or service or more broadly to include information collected or received, for example:
- in e-mail or text messages;
- through related sites or applications; or
- offline.
Fair Information Practice Principles
The privacy policy should include disclosures consistent with the FTC's fair information practice principles concerning the collection, use, transfer and protection of personal information:
- Notice.
- Choice.
- Access.
- Security.
Notice
The policy should disclose:
- The person or entity that is collecting the information, typically the operator.
- The types of information that may be collected and how it is collected. In drafting the privacy disclosure, the operator should broadly consider information that:
- users provide voluntarily, for example, by filling in forms; and
- the operator collects automatically through cookies and other tracking technology.
- How the operator may use the information.
- The operator's polices for disclosing the information, including:
- third parties to whom the operator may disclose the information; and
- circumstances under which disclosures may be made.
- The choices and methods the operator offers users to limit the collection, use and disclosure of their personal information.
Choice
Operators generally should, and in some cases may be legally required to, give users the opportunity to choose whether their personal information may be collected, used or disclosed under certain circumstances or for certain purposes. The policy should describe:
- Users' choices.
- Whether the choice can be made on an opt-in or opt-out basis.
- How users can communicate their opt-in or opt-out requests.
Access
The policy should describe whether and how users can access, correct and remove any personal information they have provided. It should also consider and identify any limitations on users' ability to change or delete their information, for example, the operator may:
- Require certain information for a user's account to remain active.
- Refuse to allow changes that may violate any law or legal requirement.
Security
The policy should describe the steps the operator takes to protect personal information. Depending on the nature of the site, app or service and the types of personal information it collects, the operator may set out:
- Only general disclosures.
- Specific measures that are required based on applicable laws.
For a sample website privacy policy, see Standard Document, Website Privacy Policy.
For a sample mobile app privacy policy, see Standard Document, Mobile Application Privacy Policy.
For more information on privacy considerations and risks raised by mobile applications, see Practice Note, Mobile App Privacy: The Hidden Risks.